Thycotic’s Cyber Security Publication

How to create an Enterprise Password Policy that gets used

January 6th, 2017

What does the human brain have to do with Security? And most importantly, what does it have to do with password policies in the enterprise?

Understanding how the human brain works (at a high level) can help your create the best Password Policy for your organization.

Humans are fallible: we make mistakes and we forget things. In fact, the human brain is completely wired to forget as much as possible. Can you imagine what it would be like if you remembered every single detail of every day of your entire life? It would be complete overload and you wouldn’t be able to handle it well.

So how do we deal with forgetting? We create shortcuts!

Humans create mental and physical shortcuts in order to retain as much information as possible.

So, if people are great at forgetting and really good at creating shortcuts, then why do we ask them to create unique and complex passwords? Do you see the conundrum here? We ask our employees to create complex passwords that we know they will forget, which requires them to create shortcuts in order to remember and use those passwords.

Here are some common password management shortcuts that are likely being used by someone in your organization:

• Writing the password on a notepad or in an Excel spreadsheet—see why that’s a bad idea here
• Using the same password in multiple locations
• Following a pattern for consecutive password changes (going from Password1! to Password2! makes it easy to guess what your next password will be)
• Sharing a single password among multiple people

All these shortcuts lead to insecure password practices, which easily lead to a compromised infrastructure; they have no place in today’s enterprise.

So how do we create an Enterprise Password Policy that actually gets used?

1. Take the human element out of the equation whenever you can – Use a password manager that doesn’t require a user to remember their password to login to sensitive systems. (You can compare password managers here.)
2. Remove unnecessary password rotations – I’m going to have to side with the NIST’s proposed password security policy changes coming up on this one. Your organization should practice strong password policy, but forcing a user to pick a new password themselves leads to things like patterns in passwords. Now, if you have a password manager, then automatic rotation is just fine, because there is no downside to this practice when a piece of software is handling it.
3. Be careful with overly complex requirements – Remember, the harder you make something to remember, the faster your employees will make shortcuts to remember those passwords. If your password policy requires a capital letter, lower case letter, special character, a number, no two consecutive letters or numbers, and 12 characters long – there is no way I’m going to remember that password. Never. Ever.
4. Two Factor Authentication –Two Factor Authentication (2FA) needs to become a mandatory requirement in anything that requires a password, with an alerting system when a password is attempted without 2FA (early signs of password compromise). Personally, I’ve had numerous accounts saved from breach due to 2FA. There aren’t too many ways to get around this one for attackers. And honestly, their time is better spent trying to go after accounts that don’t have 2FA.
5. Don’t think like an Admin – What will the average employee do? Yes, they should protect their passwords. Yes, they should be all unique. Yes, they should make them hard to guess.

But will they? There are two sides to this story: what we should be doing, and what we will do. Which is why I refer back to number 1…

Take the Human Element out of the equation

Have your existing password policies lead your employees to choose insecure or weak passwords? Download our Weak Password Finder Tool to find out. You will receive a quick summary letting you know how many passwords in active directory are found in common dictionaries, non-unique, or using legacy algorithms to protect them.